Rustock takedown: US hosting providers drawn into the fallout

As reported by Computer Weekly late last week, US marshals disconnected the botnet command-and-control (C&C) servers at the operations centres of seven ISPs across the US.

According to a weekend report by security researcher Brian Krebs, one of these ISPs was Wholesale Internet of Kansas City, where the manager arrived as his offices on March 16 to find "two US marshals, a pair of computer forensics experts and a Microsoft lawyer had come calling."

Weeks earlier, says Krebs, Microsoft had convinced a federal judge to let the software giant seize control of server hard drives and reroute internet addresses as part of a carefully timed takedown of the Rustock botnet.

Interestingly, the security researcher says that only two of the control servers were located outside the US, with the US C&C servers apparently hosted on smaller ISPs across Middle America.

Some newswire reports suggest that the botnet operators selected their ISPs based on the fact they were smaller concerns and offered semi-automated facilities to clients.

This suggestion is borne out by Krebs' research into the US hosting providers who were subject to visits from various agencies, which he has turned into a drill-down map of the ISPs concerned.

The security researcher quotes the manager of Wholesale Internet as saying that he had not heard anything about the problematic servers from either Spamhaus or Shadowserver, which allow ISPs and hosting providers to receive reports about apparent botnet control servers and bot infections on their networks.

"Both Shadowserver and Spamhaus dispute this claim, saying that while they certainly did not alert Wholesale to all of the problem internet addresses that it may have had on its network, they filed several reports with the company over the past six months that should have given the company cause to take a closer look at its customers and systems", he noted in his security blog.

Krebs also quotes Mark Rasch, a former computer crimes prosecutor for the US Justice Department, as saying that, when you treat hard drives a piece of kit, as opposed to a repository of information - some of which may be relevant to the case and some of which is not - you could run into a lot of trouble.

"We need to have a better, more efficient way of shutting down botnets in the US and internationally. I'd prefer that there was a separate remedy at our disposal that had privacy protections built-in", he told the security researcher.

Reaction to the Rustock takedown last week has been positive. Joe Stewart, director of malware research Dell SecureWorks, said that his team have been monitoring dozens of Rustock C&C servers, all of which are now completely down.

"These efforts reflect an anti-botnet technique which I call `offence-in-depth' - where an entity uses multiple layers of tactics to deny profit to a criminal operation over an extended period of time", he said.

This situation, he went on to say, is similar to the efforts taken against Conficker by the Conficker Working Group.

"However, unlike Conficker, it is not possible to predict the Rustock generated domains in advance, so it's essentially a perpetual race between the Microsoft anti-Rustock group and the botmaster for as long as the victim computers remain infected by Rustock", he explained.

According to Stewart, Rustock was suppressed by a good deal of coordination, resources and technical insight.

The Microsoft anti-Rustock group, he said, clearly did its homework to fully understand the Rustock code, and it seems they are committed to a long-term suppression effort.

"This technique can certainly be used with many other botnets, which may in fact be easier, as Rustock is an above-average foe", he added.